
Bit9

(Note: This is the first of a two-part Bit9 post.) RSA, the security company whose name is on the IT security industry's largest conference, announced late Thursday, in time for the Friday news cycle, that it has been the victim of a very "sophisticated" attack. According to the company, the intruders succeeded in stealing information related to its SecurID two-factor authentication products.

SecurID is the little dongle that adds a layer of protection to the login process: along with a PIN, the user must enter a tokencode that the device derives cryptographically from a secret per-token seed and the current time, producing a fresh code every 60 seconds on the standard hardware token (some models use 30). The seed is the "something you have"; the PIN is the "something you know."

According to the RSA blog: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

It raises the obvious question: has the algorithm, or the secret material behind the tokens, been compromised? If an attacker can predict tokencodes, the "something you have" factor is gone, and for millions of users this becomes "one-factor" authentication in everything but name.
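Both the description of how the token works and the one-factor question can be made concrete. The block below is an added example written for this post, not RSA's code or RSA's algorithm: it implements the public RFC 4226/6238 HOTP/TOTP scheme (HMAC-SHA1) as a stand-in for SecurID, whose algorithm is proprietary and uses a 60-second step, and shows what a verifier sees when the per-token seed is in an attacker's hands. The seed is the RFC 6238 test seed; the PIN, the timestamps and the verifier's drift window are constructed for the example.

```python
"""Added example (not from the original post or from RSA): a time-based OTP
token and its verifier, used as a stand-in for SecurID to show what a leaked
per-token seed does to the "second factor".

Assumptions: RFC 4226/6238 HOTP/TOTP with HMAC-SHA1 instead of RSA's
proprietary algorithm; SEED is the RFC 6238 test seed; PIN and NOW are
constructed values."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock (time // step)."""
    return hotp(seed, unix_time // step, digits)


def verify_passcode(seed: bytes, pin: str, submitted: str, unix_time: int,
                    step: int = 30, window: int = 1) -> bool:
    """Server-side check of passcode = PIN + tokencode, tolerating +/- `window`
    clock steps of drift. compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        expected = pin + totp(seed, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


SEED = b"12345678901234567890"  # constructed: the RFC 6238 test seed
PIN = "4821"                    # constructed
NOW = 1234567890                # constructed timestamp (a vector from RFC 6238)


def seed_leak_demo(seed: bytes = SEED, pin: str = PIN, now: int = NOW) -> dict:
    """What an attacker holding the leaked seed can and cannot do against the verifier."""
    user_code = totp(seed, now)
    attacker_code = totp(seed, now)  # same seed, same clock -> same tokencode
    return {
        "codes_match": user_code == attacker_code,
        # seed only: the attacker is reduced to guessing the PIN
        "seed_only_login": verify_passcode(seed, pin, "0000" + attacker_code, now),
        # seed plus a phished PIN: the token no longer adds anything
        "seed_plus_pin_login": verify_passcode(seed, pin, pin + attacker_code, now),
        # a code from the previous step is still accepted because of the drift window
        "previous_step_login": verify_passcode(seed, pin, pin + totp(seed, now - 30), now),
    }


if __name__ == "__main__":
    for key, value in seed_leak_demo().items():
        print(f"{key}: {value}")
```

The entries of the demo dictionary that matter are the last three: with only the seed, an attacker still has to come up with the PIN, which is why RSA's recommendations stress strong PIN policy and resistance to social engineering; with the seed plus a phished PIN, the token contributes nothing and the login is one-factor in practice. The drift window is a normal operational feature, but it also means a captured code stays usable for a little longer than the step length. Whether the stolen information actually includes seeds is exactly what RSA has not said.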

It has a lot of people wondering today whether the SecurID token that lets them onto their corporate network and at sensitive information is still secure. Could this go so far as to affect an RSA customer's intellectual property, and eventually its billion-dollar market cap?

RSA (owned by EMC) has as yet provided no details about when the attack happened, how long it lasted, when it was discovered or how it was carried out. As a consequence there is much speculation in the media, in blogs and on Twitter. RSA categorized the attack as an advanced persistent threat (APT). APT attacks are targeted and often use zero-day vulnerabilities, so they are rarely caught by antivirus and intrusion detection systems. The intrusions are known for being stealthy, lying in wait in a company's network, sometimes for years, and even erasing all trace of themselves after stealing data.

The attack that Google announced last year was considered an APT attack and, like many intrusions in this category, was linked to China. The attackers look for vulnerabilities in commonly used programs, anything that is ubiquitous. SecurID is ubiquitous squared: it is the gate in front of millions of users and the company data behind them.

RSA, a division of EMC, also filed a disclosure with the Securities and Exchange Commission, which includes this list of recommendations for customers who might be affected:

• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

• We recommend customers enforce strong password and PIN policies.

• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.

• We recommend customers pay special attention to security around their Active Directory, making full use of their SIEM products and also implementing two-factor authentication to control access to Active Directory.

• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.

• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.

• We recommend customers update their security products and the operating systems hosting them with the latest patches.
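The SIEM items in that list (watching for changes in privilege levels and access to Active Directory) are the ones that translate most directly into detection logic. The block below is an added example, not from the original post or from RSA: a small rule run over constructed log lines that flags additions to sensitive groups and raises the severity when the actor is not on an approved-administrator list, which is the case RSA's list wants routed through manual approval. The key=value log format, host names, accounts and the approved list are assumptions made for the example; event IDs 4728, 4732 and 4756 are the real Windows Security event IDs for a member being added to a security-enabled global, local or universal group.

```python
"""Added example (not from the original post or RSA): detection logic for
privileged-group membership changes, run over constructed log lines.

Assumptions: the key=value log format, hosts, accounts and APPROVED_ADMINS
are made up for this example. Event IDs 4728/4732/4756 are the real Windows
Security IDs for "member added to a security-enabled global/local/universal
group"."""
import re

# Windows Security event IDs for a member being added to a security-enabled group
MEMBER_ADDED_EVENTS = {"4728", "4732", "4756"}

# Groups whose membership changes should always be reviewed (assumed list)
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Accounts allowed to change privileged groups without escalation (assumed list)
APPROVED_ADMINS = {r"CORP\admin.ops"}

# Lazily match "key=value" up to the next " key=" or end of line, so values
# containing spaces ("Domain Admins") survive intact.
KV = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")

# Constructed sample log: a few membership changes plus an unrelated logon event.
SAMPLE_LOG = r"""
2011-03-17T22:14:03Z host=DC01 EventID=4728 Subject=CORP\jdoe Member=CORP\svc_backup Group=Domain Admins
2011-03-17T22:14:09Z host=DC01 EventID=4624 Subject=CORP\jdoe LogonType=3
2011-03-17T22:15:41Z host=WS042 EventID=4732 Subject=CORP\helpdesk1 Member=CORP\tmp_user Group=Administrators
2011-03-17T22:16:00Z host=DC01 EventID=4728 Subject=CORP\admin.ops Member=CORP\newhire Group=Marketing
2011-03-17T22:17:12Z host=DC01 EventID=4756 Subject=CORP\admin.ops Member=CORP\jdoe Group=Enterprise Admins
""".strip()


def parse_line(line: str) -> dict:
    """Split one log line into a dict: leading timestamp, then key=value fields."""
    timestamp, _, rest = line.strip().partition(" ")
    event = dict(KV.findall(rest))
    event["timestamp"] = timestamp
    return event


def evaluate(event: dict):
    """Return an alert dict for a sensitive membership change, or None."""
    if event.get("EventID") not in MEMBER_ADDED_EVENTS:
        return None
    group = event.get("Group", "")
    if group not in SENSITIVE_GROUPS:
        return None
    actor = event.get("Subject", "")
    return {
        "timestamp": event["timestamp"],
        "host": event.get("host"),
        "actor": actor,
        "member": event.get("Member"),
        "group": group,
        # an unapproved actor touching a sensitive group is the case to escalate
        "severity": "medium" if actor in APPROVED_ADMINS else "high",
    }


def detect(log_text: str) -> list:
    """Run the rule over every non-empty line and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['timestamp']} {a['actor']} added "
              f"{a['member']} to {a['group']} on {a['host']}")
```

On the sample log this yields three alerts: two high (a non-approved account added a service account to Domain Admins, and a help-desk account made itself a local administrator on a workstation) and one medium (an approved operator added a user to Enterprise Admins), while the addition to a non-sensitive group and the logon event are ignored. In a real SIEM the approved list would come from a change-ticket system rather than a constant, and removals (4729/4733/4757) deserve the same treatment.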

This has the potential to make the news for a long time to come and to become one of those attacks that sits on the cyber attack timeline in the history of information security. It will also push the more security-sensitive corporations to consider adding additional layers of defense against advanced persistent threats (APTs). A month ago, RSA described its own vision of how to handle APTs. We have recently interviewed a long list of large corporations about what they are doing to prevent APT attacks, and the consistent answer was a layered approach. What we learned about what companies are doing will be in part II of this post next week.


